My cert gets rejected whenever I try to upload to cvs.fp.o. The CA certs (~/.fedora-{server,upload}-ca.cert) are the newest from the wiki, and the user cert (~/.fedora.cert) is fresh from FAS: {{{ $ echo test > test $ md5sum test d8e8fca2dc0f896fd7cb4cb0031ba249 test $ curl -v -k --cert ~/.fedora.cert --fail -F "name=test" -F "md5sum=d8e8fca2dc0f896fd7cb4cb0031ba249" -F "file=@test" https://cvs.fedoraproject.org/repo/pkgs/upload.cgi * About to connect() to cvs.fedoraproject.org port 443 (#0) * Trying 209.132.176.51... connected * Connected to cvs.fedoraproject.org (209.132.176.51) port 443 (#0) * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * Certificate is signed by an untrusted issuer: 'E=admin@fedoraproject.org,CN=Fedora Project CA,OU=Fedora Project CA,O=Fedora Project,L=Raleigh,ST=North Carolina,C=US' * SSL certificate verify ok. * NSS error -12270 * Closing connection #0 * Peer certificate cannot be authenticated with known CA certificates curl: (60) Peer certificate cannot be authenticated with known CA certificates More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. }}} NSS error -12270 is "SSL peer rejected your certificate as revoked." http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html